SMTP, or Simple Mail Transfer Protocol, is the protocol a mail server uses to send and receive mail from a client. To interact with the service directly, we can use telnet and initiate the session with HELO or EHLO.

Unauthenticated Enumeration

Users

Authentication is not required for enumerating users. We can enumerate users using the VRFY command or the following tools:
nmap --script smtp-enum-users [args]

smtp-user-enum
- `sudo apt install smtp-user-enum`
- Look for `<no such user>` in the output; otherwise, extend the `-w` time.

Metasploit: auxiliary/scanner/smtp/smtp_enum
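
VRFY enumeration works only when the server answers differently for existing and non-existing names. The following added example (not from the original page) audits a recorded SMTP session for that difference; the transcripts, host names and account names are constructed, and the `C:`/`S:` line prefixes are an assumed capture format.

```python
import re

# Constructed transcripts for illustration ("C:" client, "S:" server).
LEAKY = """\
S: 220 mail.example.test ESMTP
C: EHLO audit.example.test
S: 250-mail.example.test
S: 250 VRFY
C: VRFY root
S: 250 2.1.5 root <root@mail.example.test>
C: VRFY nosuchacct
S: 550 5.1.1 <nosuchacct>: User unknown
"""
HARDENED = """\
S: 220 mail.example.test ESMTP
C: VRFY root
S: 252 2.0.0 root
C: VRFY nosuchacct
S: 252 2.0.0 nosuchacct
"""

# RFC 5321 reply codes for VRFY: 250/251 confirm the mailbox, 252 declines
# to verify, 550/551/553 reject it, 500/502 mean the command is unavailable.
CLASSES = {250: "confirmed", 251: "confirmed", 252: "undisclosed",
           550: "rejected", 551: "rejected", 553: "rejected",
           500: "disabled", 502: "disabled"}
REPLY = re.compile(r"^S: (\d{3})([ -]|$)")

def vrfy_results(transcript):
    """Return {vrfy_argument: reply_class} for each VRFY in the transcript."""
    results, pending = {}, None
    for line in transcript.splitlines():
        if line.upper().startswith("C: VRFY "):
            pending = line[8:].strip()
            continue
        m = REPLY.match(line)
        # Only the final line of a reply ("250 ", not "250-") decides the class.
        if m and pending is not None and m.group(2) != "-":
            results[pending] = CLASSES.get(int(m.group(1)), "other")
            pending = None
        elif line.startswith("C: "):
            pending = None  # another command was sent before any reply
    return results

def discloses_users(transcript, valid, invalid):
    """True when a known-valid and a known-invalid name get different answers."""
    r = vrfy_results(transcript)
    return r[valid] != r[invalid]
```

A server that returns the same class for both names, as in `HARDENED`, gives enumeration tools nothing to distinguish.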

Open-Relay

An SMTP open relay is a server configuration that allows anyone to send mail through the server without authentication. This means spoofing an email is possible. nmap has a script that will reveal if the target is configured as an open-relay server:
nmap --script smtp-open-relay -p25 [target]
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-open-relay: Server is an open relay (8/16 tests)
|  MAIL FROM:<> -> RCPT TO:<relaytest@nmap.scanme.org>
<SNIP>